Iptables configuration method introduction

xiaoxiao, 2021-03-06

Before configuring iptables, make sure that this machine's DNS and routing are already set up and that it can reach the Internet normally. Otherwise, do not start iptables yet.

The purpose of this iptables configuration is twofold: to keep intruders from the public network out, and to let the other machines on the intranet get online through this one. Before it is configured, only this machine can go online.

Red Hat 8.0 has a "Security Level" item under "System Settings", but it only protects this machine itself and cannot be used to configure iptables as a gateway. Open "Security Level" and set it to the "No firewall" level.

To make configuration and testing convenient, you can edit a "script" in KWrite and then copy and paste all of the statements into a "terminal"; this makes it very easy to modify and retest. Open KWrite under "Other" > "Accessories" and enter or paste the sample below (eth0 is the external network card, eth1 the intranet card):

echo "Enable IP forwarding..."
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "Starting iptables rules..."
/sbin/modprobe iptable_filter
/sbin/modprobe ip_tables
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp          # support passive FTP
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_h323   # support NetMeeting
/sbin/modprobe ip_nat_h323
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT
iptables -F POSTROUTING -t nat
iptables -F PREROUTING -t nat
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s 192.168.0.0/24 -j ACCEPT
iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -j MASQUERADE
# on Red Hat the init script's restart reloads the rule set saved in /etc/sysconfig/iptables;
# run "service iptables save" first if the rules above are meant to survive it
/etc/rc.d/init.d/iptables restart
iptables -L

Save the file on the desktop so it is easy to reuse.
In this configuration, the default policy for the INPUT and FORWARD chains is DROP, which means that any packet not explicitly accepted by one of the INPUT or FORWARD rules that follow is rejected. This is the best security model: in Symantec's online test, all public ports show as hidden. Note, however, that all intranet-facing ports are open, so this machine has no protection against the intranet. There are not many statements; the last one, iptables -L, displays the resulting rule set after execution. After each modification, copy all of the statements again and paste them into the "terminal"; they configure, start, and display the result in one go. Modify and test repeatedly until the result meets your requirements.

Please credit the original source when reprinting: https://www.9cbs.com/read-103795.html
